ASA 5510 - Routable Addresses for DMZ?

Hi, Folks.

I've got a 2600 that's a little overwhelmed. CPU goes to 100% when you put any NAT'd traffic through it.

I'm thinking about replacing it with an ASA 5510. Currently, my DMZ has valid/routable IP addresses: 3 distinct blocks, a /26, another /26 and a /28.

My questions are:

1) Can I assign routable IP addresses to the DMZ on the ASA 5510, and set up ACLs to provide firewall functionality, with NO NAT?

2) Can I assign multiple netblocks to the DMZ interface? (i.e. like 'secondary' addresses?)

Thanks very much, everyone!

-- Scott.

(email replies would be appreciated)

Scott Davis

Hi Scott,

1) Yes, the ASA can have routable IP addresses assigned to its DMZ interface, no problem. There is even a new option that tells the ASA to actually do no NAT at all (allow un-NATted traffic).

2) No, not directly. The ASA can only have one single IP address assigned to an interface. There is a possibility though. You could set up multiple, logical, firewalls within one single ASA box and let each one have its own DMZ interface using a different IP block. The physical DMZ interface can then be shared by all logical firewalls. Personally I wouldn't prefer such a setup and would go for a setup with NAT where you define static translations for the public IP addresses on the outside to your addresses on the DMZ.

Erik

Erik Tamminga
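As an added example (not from the thread, and not Cisco's own documentation), here is how the two options in Erik's reply look in ASA 5510 configuration syntax of the 7.x/8.2 era, i.e. before the 8.3 NAT rewrite. Interface assignments, ACL names and addresses are assumptions; the addresses are RFC 5737 documentation ranges chosen for illustration. The multiple-context setup Erik mentions is not shown.

```cisco
! Added example (not from the thread): ASA 5510, pre-8.3 software.
! Addresses are RFC 5737 documentation space, chosen for illustration.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.192
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! Option 1 (question 1): the public /26 lives on the DMZ and passes
! through un-NATted. "no nat-control" (the option Erik refers to, and
! the default since 7.0) lets traffic cross interfaces with no xlate.
no nat-control
!
! With no NAT, this ACL is the only thing between the Internet and the
! DMZ hosts: permit only the published services, deny and log the rest.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.25 eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Option 2 (Erik's preference): private addressing on the DMZ, public
! addresses published by one-to-one statics. Use this INSTEAD of the
! un-NATted design above and give the dmz interface a private address
! (e.g. 192.168.10.1/24). Shown commented out so the file stays coherent.
! static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
! static (dmz,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255
! The OUTSIDE_IN ACL above is unchanged: pre-8.3 ACLs on the outside
! interface match the public (pre-translation) address.
```

In either design the ISP router must route 203.0.113.0/26 toward the ASA's outside address (198.51.100.2 here); with option 1 the ASA simply forwards the block onto the DMZ segment, with option 2 it answers for the published hosts via the statics. To confirm a flow is handled the way you expect before exposing anything, `packet-tracer input outside tcp 192.0.2.5 12345 203.0.113.10 80` (available from 7.2) walks the packet through the ACL and NAT phases, and `show xlate` shows whether any translation was built.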
